CVE-2021-47132 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix sk_forward_memory corruption on retransmission MPTCP sk_forward_memory handling is a bit special, as such field is protected by the msk socket spin_lock, instead of the plain socket lock. Currently we have a code path updating such field without handling the relevant lock: __mptcp_retrans() -> __mptcp_clean_una_wakeup() Several helpers in __mptcp_clean_una_wakeup() will update sk_forward_alloc, possibly causing such field corruption, as reported by Matthieu. Address the issue providing and using a new variant of blamed function which explicitly acquires the msk spin lock.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/b5941f066b4ca331db225a976dae1d6ca8cf0ae3
https://git.kernel.org/stable/c/b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3
https://lore.kernel.org/linux-cve-announce/2024031514-CVE-2021-47132-80b2@gregkh/T/#u
https://nvd.nist.gov/vuln/detail/CVE-2021-47132
https://www.cve.org/CVERecord?id=CVE-2021-47132

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-03-15T20:14:35.337Z

Updated: 2024-12-19T07:35:50.176Z

Reserved: 2024-03-04T18:12:48.840Z

Link: CVE-2021-47132

Vulnrichment

Updated: 2024-05-23T19:01:18.403Z

NVD

Status : Awaiting Analysis

Published: 2024-03-15T21:15:07.690

Modified: 2024-11-21T06:35:27.780

Link: CVE-2021-47132

Redhat

Severity : Moderate

Publid Date: 2024-03-15T00:00:00Z

Links: CVE-2021-47132 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47132", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-03-04T18:12:48.840Z", "datePublished": "2024-03-15T20:14:35.337Z", "dateUpdated": "2024-12-19T07:35:50.176Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T07:35:50.176Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix sk_forward_memory corruption on retransmission\n\nMPTCP sk_forward_memory handling is a bit special, as such field\nis protected by the msk socket spin_lock, instead of the plain\nsocket lock.\n\nCurrently we have a code path updating such field without handling\nthe relevant lock:\n\n__mptcp_retrans() -> __mptcp_clean_una_wakeup()\n\nSeveral helpers in __mptcp_clean_una_wakeup() will update\nsk_forward_alloc, possibly causing such field corruption, as reported\nby Matthieu.\n\nAddress the issue providing and using a new variant of blamed function\nwhich explicitly acquires the msk spin lock."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/protocol.c"], "versions": [{"version": "64b9cea7a0afe579dd2682f1f1c04f2e4e72fd25", "lessThan": "b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3", "status": "affected", "versionType": "git"}, {"version": "64b9cea7a0afe579dd2682f1f1c04f2e4e72fd25", "lessThan": "b5941f066b4ca331db225a976dae1d6ca8cf0ae3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/protocol.c"], "versions": [{"version": "5.12", "status": "affected"}, {"version": "0", "lessThan": "5.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.12.10", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3"}, {"url": "https://git.kernel.org/stable/c/b5941f066b4ca331db225a976dae1d6ca8cf0ae3"}], "title": "mptcp: fix sk_forward_memory corruption on retransmission", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47132", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-18T15:54:25.829185Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:14:35.969Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:24:40.145Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b5941f066b4ca331db225a976dae1d6ca8cf0ae3", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47132", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-03-04T18:12:48.840Z", "datePublished": "2024-03-15T20:14:35.337Z", "dateUpdated": "2024-06-04T17:14:35.969Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:02:39.810Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix sk_forward_memory corruption on retransmission\n\nMPTCP sk_forward_memory handling is a bit special, as such field\nis protected by the msk socket spin_lock, instead of the plain\nsocket lock.\n\nCurrently we have a code path updating such field without handling\nthe relevant lock:\n\n__mptcp_retrans() -> __mptcp_clean_una_wakeup()\n\nSeveral helpers in __mptcp_clean_una_wakeup() will update\nsk_forward_alloc, possibly causing such field corruption, as reported\nby Matthieu.\n\nAddress the issue providing and using a new variant of blamed function\nwhich explicitly acquires the msk spin lock."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/protocol.c"], "versions": [{"version": "64b9cea7a0af", "lessThan": "b9c78b1a9596", "status": "affected", "versionType": "git"}, {"version": "64b9cea7a0af", "lessThan": "b5941f066b4c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/protocol.c"], "versions": [{"version": "5.12", "status": "affected"}, {"version": "0", "lessThan": "5.12", "status": "unaffected", "versionType": "custom"}, {"version": "5.12.10", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3"}, {"url": "https://git.kernel.org/stable/c/b5941f066b4ca331db225a976dae1d6ca8cf0ae3"}], "title": "mptcp: fix sk_forward_memory corruption on retransmission", "x_generator": {"engine": "bippy-a5840b7849dd"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47132", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-18T15:54:25.829185Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:18.403Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix sk_forward_memory corruption on retransmission\n\nMPTCP sk_forward_memory handling is a bit special, as such field\nis protected by the msk socket spin_lock, instead of the plain\nsocket lock.\n\nCurrently we have a code path updating such field without handling\nthe relevant lock:\n\n__mptcp_retrans() -> __mptcp_clean_una_wakeup()\n\nSeveral helpers in __mptcp_clean_una_wakeup() will update\nsk_forward_alloc, possibly causing such field corruption, as reported\nby Matthieu.\n\nAddress the issue providing and using a new variant of blamed function\nwhich explicitly acquires the msk spin lock."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp: corrige la corrupci\u00f3n de sk_forward_memory en la retransmisi\u00f3n El manejo de MPTCP sk_forward_memory es un poco especial, ya que dicho campo est\u00e1 protegido por el socket msk spin_lock, en lugar del bloqueo de socket simple. Actualmente tenemos una ruta de c\u00f3digo que actualiza dicho campo sin manejar el bloqueo relevante: __mptcp_retrans() -> __mptcp_clean_una_wakeup() Varios ayudantes en __mptcp_clean_una_wakeup() actualizar\u00e1n sk_forward_alloc, posiblemente causando dicha corrupci\u00f3n de campo, seg\u00fan lo informado por Matthieu. Solucione el problema proporcionando y utilizando una nueva variante de la funci\u00f3n culpada que adquiere expl\u00edcitamente el bloqueo de giro msk."}], "id": "CVE-2021-47132", "lastModified": "2024-11-21T06:35:27.780", "metrics": {}, "published": "2024-03-15T21:15:07.690", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b5941f066b4ca331db225a976dae1d6ca8cf0ae3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/b5941f066b4ca331db225a976dae1d6ca8cf0ae3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: mptcp: fix sk_forward_memory corruption on retransmission", "id": "2269818", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269818"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-414", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nmptcp: fix sk_forward_memory corruption on retransmission\nMPTCP sk_forward_memory handling is a bit special, as such field\nis protected by the msk socket spin_lock, instead of the plain\nsocket lock.\nCurrently we have a code path updating such field without handling\nthe relevant lock:\n__mptcp_retrans() -> __mptcp_clean_una_wakeup()\nSeveral helpers in __mptcp_clean_una_wakeup() will update\nsk_forward_alloc, possibly causing such field corruption, as reported\nby Matthieu.\nAddress the issue providing and using a new variant of blamed function\nwhich explicitly acquires the msk spin lock."], "name": "CVE-2021-47132", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47132\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47132\nhttps://lore.kernel.org/linux-cve-announce/2024031514-CVE-2021-47132-80b2@gregkh/T/#u"], "threat_severity": "Moderate", "upstream_fix": "kernel 5.12.10, kernel 5.13"}